Andrea SERVIDA European Commission DG INFSO.A3 Update on EU policy on Network and Information Security & Critical Information.

Presentation transcript:

Andrea SERVIDA European Commission DG INFSO.A3 Update on EU policy on Network and Information Security & Critical Information Infrastructures Protection Brussels 15 February 2011

Network and information security (NIS)
COM(2001) 298 final - Network and Information Security: Proposal for A European Policy Approach
Network and information security is defined as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”

Network & Information Security (NIS) Facts
– Increasing economic and social dependency on ICT vs growing sophistication of threats
– Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility.
– Global interconnection vs lack of transnational cooperation
– Operational responsibility with private sector while public policy responsibility lies with governments
– Limited incentives for wide NIS uptake
– Fragmentation of NIS regimes and market maturity in MS

Network and Information Security (NIS) Challenges
– Make security and resilience the frontline of defence of critical ICT infrastructures (e.g. importance of preventative approaches & measures)
– Develop a risk management culture in the EU
– Identify socio-economic incentives
– Promote openness, diversity, interoperability, usability, competition
– NIS calls for a global collaborative and operational approach
– Build a capability and policy framework for NIS in Europe (e.g. EU early warning system)
– Boost policy and operational cooperation (e.g. pan-European security incident exercises)

A Digital Agenda for Europe - COM(2010)245
Online trust and security: identity theft, privacy concerns, cybercrime, spam; low trust = low use
European Network and Information Security Agency; Computer Emergency Response Teams; Cybercrime centre

Overview of Pillar 3 “Trust and Security” (diagram; labels recovered from the slide)
KA 6 (28) NIS Policy
KA 7 (29) – Measures on cyberattacks
ENISA EU institutions CERT ToolBox
38 – Network of CERTs by
– EU cyber-security preparedness
39 – MS Simulation exercises as of 2010
Regulation for mandate and duration ENISA
EFMS; EP3R; Observer in Cyberstorm; EPCIIP; CIIP Conference; Expert Group
32 – Cooperation on cybersecurity
41 – National alert platforms by
– EU platform by
– Create European Cybercrime center
Cybercrime; Cybersecurity preparedness
37 – Dialogue and self-regulation minors
36 – Support for reporting of illegal content
40 – Harmful content hotlines and awareness campaigns
Safety and privacy of online content and services
35 – Implementation of privacy and personal data protection
34 – Explore extension of personal data breach notification
INFSO CdF; HOME CdF; Others COM CdF; Commission action; Member States action

Network and Information Security (NIS)
The EU Policy Framework
2004: Establishment of ENISA
2006: European Commission Strategy for a Secure Information Society - COM(2006) : Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]
2008: Extension of ENISA’s mandate and launch of a debate on increased NIS
Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -
Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security
Dec 2009: Council Resolution on a collaborative European approach to NIS [2009/C 321/01]
Dec 2009: EESC Opinion on the Communication on CIIP
May 2010: Adoption of the Digital Agenda for Europe [COM/2010/0245]
Sep 2010: Proposal to reform ENISA [COM(2010) 521 final]

Communication on CIIP - COM(2009)149
Objectives and scope
High level objectives
– Protect Europe from large scale cyber attacks and disruptions
– Promote security and resilience culture (first line of defence) & strategy
Means / Scope
– Enhance the CIIP preparedness and response capability in EU
– Promote adoption of consistent preventive, detection, emergency and recovery measures

CIIP Policy - COM(2009)149
The Five Pillars of the CIIP Action Plan
1. Preparedness and prevention
– European Forum for MS to share information & policy practices - EFMS
– European Public Private Partnership for Resilience EP3R
– Baseline of capabilities and services for National/Governmental CERTs
2. Detection and response
– Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs
3. Mitigation and recovery
– National contingency planning and exercises
– Pan-European exercises on large-scale network security incidents
– Reinforced cooperation between National/Governmental CERTs
4. International Cooperation
– Define European priorities, principles and guidelines for the long term resilience and stability of the Internet
– Promote the principles and guidelines at global level
– Global cooperation on exercises on large-scale Internet incidents
5. Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

Council Resolution of 18 December 2009 on a collaborative European approach to NIS
The Council Resolution invites Member States to:
– Organise national exercises and participate in European exercises
– Create CERTs and reinforce cooperation between national CERTs
– Increase efforts on education, training and research programmes
– Jointly react to cross-border incidents
The Council Resolution invites the European Commission to:
– Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management
– Identify incentives for providers of electronic communications
– Encourage and improve multi-stakeholder models
– Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA
– Analyse in which areas further cooperation between CERTs is called for
The Council Resolution calls on ENISA to:
– Support the implementation of NIS policies + CIIP Action Plan
– Develop a framework of statistical data on the state of NIS in Europe

The CIIP Action plan
State of Play of the Implementation
European Forum for Member States – EFMS - To share information & policy practices and define strategic objectives and priorities
– Long term resilience and stability of the Internet
– Criteria to identify European Critical Information Infrastructures
– Long term strategy on pan-European exercises
European Public Private Partnership for Resilience - EP3R
– Objectives, principles and structure
– Three working groups established in Nov st Pan-European exercises on large-scale network security incidents organised on 4th of November 2011
Cooperation between National/Governmental CERTs
– Identification of baseline of capabilities and services
International Cooperation
– Promote resilience and stability of Internet at global level
– Global cooperation on exercises

DAE trust and security actions and CIIP pillars

European Network and Information Security Agency (ENISA)
Established in March 2004 for 5 years
Main objective: assist the Commission and the MS, and in consequence cooperate with the business community, in order to help them to meet the requirements of NIS
Key tasks:
– collect information, risk analysis
– develop ‘common methodologies’
– track the development of standards
– contribute to raising awareness
– promote ‘best practices’ and ‘methods of alert’
– enhance cooperation between stakeholders
– assist Commission and MS in dialogue with industry
– advise the Commission on research
– contribute to international cooperation
Extension for 3 years [EP and Council Regulation n. 1007/2008 of 24/09/2008] until 13/03/2012

ENISA – Work programme 2011
WS1 : ENISA as facilitator for improving cooperation
– WPK 1.1: Supporting Member States in implementing article 13a
– WPK 1.2: Preparing the Next Pan-European Exercise
– WPK 1.3: Reinforcing CERTs in the Member States
– WPK 1.4: Support CERT (co)operation on European level
– WPK 1.5: Good practice for CERTs to address NIS aspects of cybercrime
WS2 : ENISA as competence centre for securing current & future technologies
– WPK 2.1: Security & Privacy of Future Internet Technologies
– WPK 2.2: Interdependencies and Interconnection
– WPK 2.3: Secure architectures & technologies
– WPK 2.4: Early warning for NIS
WS3 : ENISA as promoter of privacy & trust
– WPK 3.1: Identifying and promoting economically efficient approaches to information security
– WPK 3.2: Deploying privacy & trust in operational environments
– WPK 3.3: Supporting the review and implementation of the ePrivacy Directive (2002/58/EC)
– WPK 3.4: European Cyber Security Awareness Month

The proposal to modernise ENISA COM(2010) 521 final
30 September 2010:
– Adoption by the Commission of its proposal for a Regulation concerning ENISA
Main objectives of the proposal:
– To reinforce and modernise the mandate of ENISA
– To extend it by five years
Option 3 is the preferred policy option among the five options considered in the impact assessment => Expansion of functions currently defined for ENISA and adding law enforcement and privacy protection agencies as fully fledged stakeholders
Proposal based on Art. 114 TFUE

The proposal to modernise ENISA COM(2010) 521 final
Compared to the current Regulation, key changes introduced by the proposal to help ENISA carry out its missions
– More flexibility, adaptability and capability to focus
– Better alignment with the EU regulatory process
– Interface with fight against cybercrime
– Strengthened governance structure
– Simplification of procedures
– Possibility to extend mandate of Executive Director
– Gradual increase of resources

A Triple Play for a modernised ENISA COM(2010) 521 final
Knowing better
– Assist MS and EU Institutions in collecting, analysing and disseminating NIS data (regularly assess NIS in Europe)
Cooperating better
– Facilitate cooperation, dialogue and exchange of good practice among public and private stakeholders (risk management, awareness, security of products, networks and services, etc)
Working better
– Provide assistance, support and expertise to the Member States and the European institutions and bodies (cross border issues, detection and response capability, Exercises, etc.)

ENISA in the EU context

EU-U.S. WG on Cybersecurity and Cybercrime
Priority areas
1. Public – Private Partnerships (PPP)
2. Cyber Incident Management
3. Awareness Raising
4. Cybercrime
– Outreach to other regions or countries
To share approaches, avoid duplication of effort, facilitate a joint approach in international fora

EU-U.S. WG on Cybersecurity and Cybercrime
Public-Private Partnership
“This area would focus on providing a coherent environment for cooperation between the public and private sector in the EU and the U.S. This area would also include a focus on the protection and resilience of critical information infrastructures from a cybersecurity perspective including enhancing the security of and reducing the cyber risk to networked industrial control systems.”

EU-U.S. WG on Cybersecurity and Cybercrime
Cyber Incident Management
“This area would focus on cyber incident response and enhanced collaboration between national/governmental computer security incident response teams (CSIRT) in Europe and the US. Cybersecurity exercises, to include regional exercises and a possible synchronized trans-continental exercise in 2012/2013, would also be included to evaluate incident management processes.”

EU-U.S. WG on Cybersecurity and Cybercrime
Awareness raising
“This area would focus on a sustained effort to raise awareness about cybersecurity and related cybercrime issues with key stakeholders in member states and in the US. This area would focus on developing coordinated activities with respect to awareness raising to enhance efficacy and increase impact.”

EU-U.S. WG on Cybersecurity and Cybercrime
Cybercrime
“This area would also focus on continued relationships building and cooperation among law enforcement partners. In addition, this may address child exploitation online.”

Web Sites
– A Digital Agenda for Europe: agenda/index_en.htm
– Commission to boost Europe's defences against cyber-attacks: emlongdetail.cfm?item_id=6190
– EU policy on promoting a secure Information Society: _en.htm
– EU policy on Critical Information Infrastructure Protection – CIIP: egy/activities/ciip/index_en.htm
– The reformed Telecom Regulatory Framework - November: omorrow/index_en.htm

EU Policy on NIS and CIIP Thanks!